General
-
Target
103ddbecf62984789f874fb2d4ec846feeef6d40c191bc35285379a7c6d77228
-
Size
409KB
-
Sample
220521-ervprshfe7
-
MD5
845f30f2eb3538e95b984784090ee1b1
-
SHA1
dae418bbb418d0cf4b7488e8143afe52105cdf70
-
SHA256
103ddbecf62984789f874fb2d4ec846feeef6d40c191bc35285379a7c6d77228
-
SHA512
ef9cc82b00f1d033b5768dfb9f102e35692f7ae6f6ab92bbd2085630353ca70571335f465a53ffcd1d90b55b72eb90d7dee10c1a368ed9b806fd2cb73869cdb9
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.mosaiclayouts.com - Port:
587 - Username:
sales@mosaiclayouts.com - Password:
UY$W4+]^+9;)7CF5
Targets
-
-
Target
Quotation sheet.doc
-
Size
32KB
-
MD5
3759688eef1380d504950f2d182feb2a
-
SHA1
d04c71e2fbdd885b812b0abff05ab9381f84b35c
-
SHA256
d28b9b95666eb49011c60d4cf91b42ae39e3f9e388f4d87f3e63c55626d54bb4
-
SHA512
a3ee0cdb252ef8cfd0495964e846538eaba3e24f9b744858d47b07512b3f17e011b69e59b39b012a21b0da16e3113d71be66cf6fd6d0a9b2e9c2484e01f03690
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
-
-
Target
offer_pdf.bat
-
Size
698KB
-
MD5
d6c4a40b53155650b55182e4e51e0e26
-
SHA1
4af700b05b0a551c95db315e486895c8610e8169
-
SHA256
ddefa12712998a6705858c96559d4f08a6f75615298c321be7eecc1a60ccc04f
-
SHA512
a81667f40aa9f6643b6b8214f557ecf5da7d6f404c00b1ba52076b3da58326c9a75a8c32ede0845145171123d2b231552691327b29a7d4e120f4a9cdeca4e238
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Drops startup file
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-